Response to Amendment

This office action is responsive to Applicant's amendment received on Sep. 12, 
2005. Claims 1-2, and 13-18 are cancelled. Claims 3-12 are amended. Claims 19-26 
are added. Claims 3-12 and 19-26 are pending. 

Response to Arguments 

Applicant's arguments with respect to claims 3-12 and 19-26 have been 
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

Claims 3-12 and 19-26 are rejected under 35 U.S.C. 102(b) as being anticipated 
by Barkley et al., (U.S. Patent No. 6,202,066 and Barkley hereinafter). 

Regarding claims 19, 23, and 25, Barkley discloses a computer-implemented 
method for enforcing role-permission security administration using security objects 
stored in a security repository (i.e., associating permissions with roles or groups and 
moving users in and out of these roles or groups), comprising steps of: 

storing, in a security repository (i.e., it is inherent that such association has to be 
stored in the computer system for later retrieval), a plurality of security objects, wherein 
each of the security objects corresponds to a single role (i.e., an access control policy 
which uses roles or groups defines an association between a role or group and the 
permissions for that role or group)(Col. 6, lines 40-67 and Col. 7, lines 1-20); 

specifying, in each of the security objects, all permissions granted to the 
corresponding role, wherein each of the specified permissions identifies at least one 
resource and, for each resource at least one action that can be performed on the 
resource by subjects granted the corresponding role (i.e., this association can be 
represented as a 3-tuple: [role or group; object; {permitted operations on the 
object}])(Col. 6, lines 40-67 and Col. 7, lines 1-20); 

wherein selected ones of the resources are identified in the specified permissions 
of more than one of the security objects and wherein the specified permissions for at 
least one of the security objects identifies a plurality of resources and for each of the 
plurality of resources, at least one of the actions (i.e., all of the objects assigned to a 
given OAT may be accessed identically by the members of each of the roles assigned 
to that OAT. Of course, the same objects may be assigned to more than one OAT; just 
as the members of a given role may be assigned differing permissions with respect to 
various groups of files by being assigned membership in differing OATs)(Col. 11, lines 
20-67 and Col. 12, lines 1-50); and 

using the stored security objects to determine whether run-time requests for 
performing actions on the resources can be granted (Col. 3, lines 9-24). 

Regarding claims 20, 22, 24, and 26, Barkley discloses where the using step 
further comprises, for each of the run-time requests, the steps of: 

determining, for the run-time request, a requester from which the request was 
received, and a particular action being requested on a particular resource, determining 
one or more roles granted to the requester (Col. 8, lines 24-44), and until determining 
that the request can be granted or exhausting the determined roles, iteratively 
accessing the security object corresponding to each one of the determined roles and if 
the accessed security object identifies the requested action on the requested resource, 
then determining that the request can be granted (Col. 11, lines 20-67 and Col. 12, lines 
1-50). 

Regarding claim 21, Barkley discloses wherein the step of determining one or 
more roles further comprises, the steps of: 

using an identification of the requester as a user identification to consult a 
mapping that specifies (Col. 1, lines 30-54), for each of the plurality of subjects, one or 
more roles associated therewith, wherein each of the subjects is specified as at least 
one of (1) an identification of one or more users (2) an identification of one or more user 
groups thereby determining each role associated with the identification of the requester 
(Col. 2, lines 47-67 and Col. 3, lines 1-24); 

determining one or more user groups of which the requester is a member (Col. 8, 
lines 24-44), and using each of the determined user groups as a user group 
identification to consult the mapping thereby determining each role associated with the 
determined user groups (Col. 11, lines 20-67 and Col. 12, lines 1-50). 
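
The run-time check recited for claims 19-21 (one security object per role, role lookup by user and by user group, iteration until a grant or until the roles are exhausted), as an added Python example that is not taken from Barkley or from the application. All role, user, group and resource names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SecurityObject:
    """One object per role: every permission granted to that role."""
    role: str
    # resource -> set of actions permitted on that resource
    permissions: dict = field(default_factory=dict)

    def allows(self, resource, action):
        return action in self.permissions.get(resource, frozenset())

# Constructed sample data (hypothetical names), standing in for the repository.
REPOSITORY = {
    so.role: so for so in (
        SecurityObject("teller", {"account": frozenset({"read", "deposit"})}),
        SecurityObject("auditor", {"account": frozenset({"read"}),
                                   "ledger": frozenset({"read"})}),
    )
}
# Subject -> roles mapping; a subject is a user or a user group.
SUBJECT_ROLES = {
    ("user", "alice"): ["teller"],
    ("group", "audit-team"): ["auditor"],
    ("group", "contractors"): ["archivist"],  # role with no security object
}
GROUP_MEMBERS = {"audit-team": {"alice", "bob"}, "contractors": {"carol"}}

def roles_for(requester):
    """Roles via the user identification, then via each group membership."""
    roles = list(SUBJECT_ROLES.get(("user", requester), []))
    for group, members in sorted(GROUP_MEMBERS.items()):
        if requester in members:
            group_roles = SUBJECT_ROLES.get(("group", group), [])
            roles += [r for r in group_roles if r not in roles]
    return roles

def check(requester, resource, action):
    """Return the role that grants the request, or None (default deny)."""
    for role in roles_for(requester):
        security_object = REPOSITORY.get(role)
        if security_object is None:
            continue  # dangling role reference grants nothing
        if security_object.allows(resource, action):
            return role  # stop at the first grant
    return None  # roles exhausted without a grant
```

Returning the granting role rather than a bare boolean gives an audit log the reason for each allow decision.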

Regarding claims 3-12, Barkley discloses wherein at least one of the resources is 
any resource that is expressible to the security system and each of the at least one 
actions identified for the at least one resource are selected from a set of actions that are 
permitted on that resource (Col. 10, lines 45-67 and Col. 11, lines 1-40). 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Arezoo Sherkat whose telephone number is (571) 272-3796. 
The examiner can normally be reached on 8:00-4:30 Monday-Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



Arezoo Sherkat 
Patent Examiner 
Group 2131 
Nov. 16, 2005 





